# create an os server
- import_playbook:  "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=os-control-stg:os-control:os-nodes-stg:os-masters-stg:os-nodes:os-masters"

- name: make the box be real
  hosts: os-control:os-control-stg:os-masters-stg:os-nodes-stg:os-masters:os-nodes
  user: root
  gather_facts: True

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  roles:
    - base
    - rkhunter
    - nagios_client
    - hosts
    - fas_client
    - collectd/base
    - rsyncd
    - sudo
    - { role: openvpn/client,
        when: env != "staging" and 'os-control' not in group_names }

  tasks:
    - name: put openshift repo on os- systems
      template: src="{{ files }}/openshift/openshift.repo" dest="/etc/yum.repos.d/openshift.repo"
      tags:
      - config
      - packages
      - yumrepos

    - name: Deploy controller public ssh keys to osbs cluster hosts
      authorized_key:
        user: root
        key: "{{ lookup('file', '{{private}}/files/os/{{env}}/control_key.pub') }}"

    - name: copy docker-storage-setup config
      copy:
        src: "{{files}}/osbs/docker-storage-setup"
        dest:  "/etc/sysconfig/docker-storage-setup"


    - import_tasks: "{{ tasks_path }}/yumrepos.yml"
    - import_tasks: "{{ tasks_path }}/2fa_client.yml"
    - import_tasks: "{{ tasks_path }}/motd.yml"

  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"

- name: OSBS control hosts pre-req setup
  hosts: os-control:os-control-stg
  tags:
    - os-cluster-prereq
  user: root
  gather_facts: True

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  tasks:
    - name: fix hosts file
      copy:
        src: "{{roles_path}}/hosts/files/os-hosts"
        dest: "/etc/hosts"
        owner: root
        mode: 0644

    - name: deploy private key to control hosts
      copy:
        src: "{{private}}/files/os/{{env}}/control_key"
        dest: "/root/.ssh/id_rsa"
        owner: root
        mode: 0600

    - name: set ansible to use pipelining
      ini_file:
        dest: /etc/ansible/ansible.cfg
        section: ssh_connection
        option: pipelining
        value: "True"

- name: Deploy OpenShift cluster
  hosts: os-control:os-control-stg
  tags:
    - os-cluster-deploy
  user: root
  gather_facts: True

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  roles:
    - {
      role: ansible-ansible-openshift-ansible,
        cluster_inventory_filename: "cluster-inventory-stg",
        openshift_release: "v3.9",
        openshift_ansible_path: "/root/openshift-ansible",
        openshift_ansible_playbook: "playbooks/deploy_cluster.yml",
        openshift_ansible_version: "openshift-ansible-3.9.29-1",
        openshift_ansible_ssh_user: root,
        openshift_ansible_install_examples: true,
        openshift_ansible_containerized_deploy: false,
        openshift_cluster_masters_group: "os-masters-stg",
        openshift_cluster_nodes_group: "os-nodes-stg",
        openshift_cluster_infra_group: "os-nodes-stg",
        openshift_auth_profile: "fedoraidp-stg",
        openshift_master_ha: true,
        openshift_debug_level: 1,
        openshift_deployment_type: "openshift-enterprise",
        openshift_cluster_url: "{{ os_url}}",
        openshift_app_subdomain: "{{ os_app_url }}",
        openshift_internal_cluster_url: "os-masters{{ env_suffix }}.phx2.fedoraproject.org",
        openshift_api_port: 443,
        openshift_console_port: 443,
        openshift_shared_infra: true,
        when: env == 'staging',
        tags: ['openshift-cluster','ansible-ansible-openshift-ansible']
      }
    - {
      role: ansible-ansible-openshift-ansible,
        cluster_inventory_filename: "cluster-inventory",
        openshift_release: "v3.6",
        openshift_ansible_path: "/root/openshift-ansible",
        openshift_ansible_playbook: "playbooks/byo/config.yml",
        openshift_ansible_version: "openshift-ansible-3.6.173.0.81-1",
        openshift_ansible_ssh_user: root,
        openshift_ansible_install_examples: true,
        openshift_ansible_containerized_deploy: false,
        openshift_cluster_masters_group: "os-masters",
        openshift_cluster_nodes_group: "os-nodes",
        openshift_cluster_infra_group: "os-nodes",
        openshift_auth_profile: "fedoraidp",
        openshift_master_ha: true,
        openshift_debug_level: 2,
        openshift_deployment_type: "openshift-enterprise",
        openshift_cluster_url: "{{ os_url}}",
        openshift_app_subdomain: "{{ os_app_url }}",
        openshift_internal_cluster_url: "os-masters{{ env_suffix }}.phx2.fedoraproject.org",
        openshift_api_port: 443,
        openshift_console_port: 443,
        openshift_shared_infra: true,
        when: env != 'staging',
        tags: ['openshift-cluster','ansible-ansible-openshift-ansible']
    }

- name: Post-Install setup
  hosts: os-stg:os
  tags:
    - os-post-install
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/private/ansible/files/openstack/passwords.yml
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  tasks:
    - name: enable nrpe for monitoring (noc01)
      iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
      tags:
      - iptables

- name: Post-Install master setup
  hosts: os-masters-stg:os-masters
  tags:
    - os-post-install
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/private/ansible/files/openstack/passwords.yml
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  tasks:
    - name: Disallow users from provisioning
      command: oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth
      changed_when: false
      register: command_result
      failed_when: "'unable to find target' not in command_result.stdout"
    - name: Allow some users cluster admin
      command: oadm policy add-cluster-role-to-user cluster-admin {{item}}
      with_items:
      - puiterwijk
      - kevin
      - codeblock
      - smooge
      changed_when: false
